Thursday, January 19, 2017


Gmail users beware, there's a new online scam targeting you. Termed Gmail phishing, it is said to be fooling even technology-savvy users.

The scam has been discovered by Mark Maunder, CEO of WordPress security service Wordfence. According to Maunder, the scam has managed to convince even "experienced technical users", and is targeting other services in addition to Gmail.

The attack starts with an email sent to a Gmail user's account. The email is likely to come from someone you know whose account has already been compromised using this same technique. It may include an attachment that looks like something you previously sent to this contact, and it is also likely to have a relevant subject line.

When you click the image or attachment, expecting Gmail to show a preview, a new tab opens instead and prompts you to sign in to Gmail again. Once you enter your credentials, you have fallen into the trap laid by the hacker. Victims are unlikely to notice, because a quick glance at the location bar shows the text 'accounts.google.com'.

Once the hackers have access to your account, they gain complete access to all your emails, sent and received. There is a high chance that, once they control your email address, they can also compromise many other services you use, including other email accounts, through the password reset mechanism.

How to protect yourself from the attack

When you sign in to any service, check the browser location bar: verify the protocol first, then verify the hostname. Make sure that nothing appears before the hostname 'accounts.google.com' other than 'https://' and the lock symbol. Take special note of the green colour and the lock symbol on the left. If you cannot verify both the protocol and the hostname, stop and consider what you just clicked on to get to that sign-in page.
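The two-step check above (protocol first, then exact hostname) expressed in code, as an added example that is not part of the original article. It uses the browser's standard URL parser, so anything placed before the hostname or appended after it is seen for what it is; the sample location-bar strings and the expected hostname constant are constructed for the demo, not taken from the article.

```javascript
// Added example: check a location-bar string the way the article advises.
// EXPECTED_HOST is an assumption for this demo; a real check would read the
// current tab's URL.
const EXPECTED_HOST = "accounts.google.com";

function checkSignInUrl(locationBarText, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(locationBarText.trim());
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }
  // Step 1: protocol. Anything other than https: (http:, data:, javascript:, ...)
  // means this is not the real sign-in page, even if the expected hostname
  // appears somewhere in the text.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `protocol is ${url.protocol}, not https:` };
  }
  // Step 2: hostname must match exactly. A lookalike such as
  // accounts.google.com.example.test contains the expected string but is a
  // different host. Comparing url.hostname (not the raw text) also ignores
  // paths and query strings, which may legitimately mention the expected name.
  if (url.hostname !== expectedHost) {
    return { ok: false, reason: `hostname is ${url.hostname || "(empty)"}` };
  }
  return { ok: true, reason: "https and hostname match" };
}

// Constructed sample location-bar contents (example.test is a reserved TLD).
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.test/ServiceLogin",
  "https://example.test/login?next=https://accounts.google.com/",
];

function checkAll(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, ...checkSignInUrl(s) }));
}

for (const r of checkAll()) {
  console.log(`${r.ok ? "OK  " : "STOP"} ${r.input} (${r.reason})`);
}
```

Only the first sample passes: the second fails on protocol, the third has text before the hostname and therefore parses with a different protocol and an empty hostname, and the last two fail the exact hostname comparison even though the expected name appears in the string.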

You should also enable two-factor authentication on every service you use that offers it. Two-factor authentication makes it much more difficult for an attacker to sign in to a service you use, even if they manage to steal your password with this technique.